The program analyzes events using IOA rules. Kaspersky Lab experts provide a set of IOA rules which contain samples of the most frequent suspicious actions in the user's system. In addition, users can create their own IOA rules.
The web interface of the program allows users with the Senior security officer role to manage IOA rules: add, delete, enable and disable the rules, and add IOA rules by Kaspersky Lab to the white list. Users with the Senior security officer or Security officer roles can use IOC rules to search for signs of targeted attacks, infected and possibly infected objects in the database of events and alerts, and to view the IOA rule table and IOA rule information.
The differences between user rules and Kaspersky Lab rules are summarized in the following table.
Comparison of IOA rules

| Characteristic | User rules | Kaspersky Lab rules |
|---|---|---|
| Recommendations on responding to the event | None | Yes. You can view recommendations in alert information |
| Correspondence to technique in MITRE ATT&CK database | None | Yes. You can view the description of the technique according to the MITRE database in alert information |
| IOA rule table display | Yes | None |
| Ability to disable database lookup for this rule | | |
| Ability to delete or add the rule | You can delete or add a rule in the web interface of the program | Rules are updated together with program databases and cannot be deleted by the user |
| | Using Alerts and Events links in the IOA rule information window | Using Alerts and Events links in the alert information window |
Depending on the program operating mode and the server on which the IOA rules are created, custom IOA rules can be one of the following types: